-
-
Prompt to fix the issues
-
Impact potential
Here is the text formatted into the requested structure:
Inspiration
The inspiration for this AI-powered security scanner came from a fundamental gap in the developer tools ecosystem. As someone who has worked with both large enterprises and indie developers, We noticed that enterprise companies have access to sophisticated security scanning tools like SAST/DAST scanners, compliance automation, and dedicated security teams. However, indie developers and small teams are left with expensive, complex tools that don't fit their workflow or budget.
The turning point was seeing talented indie developers launch promising applications only to face security vulnerabilities that could have been caught early. Many of these developers either:
- Skip security scanning entirely due to complexity
- Use basic tools that generate overwhelming, technical reports they can't act on
- Pay enterprise prices for tools designed for large organizations
We wanted to create a tool that makes enterprise-grade security analysis accessible and affordable to indie developers - something that "just works" with minimal setup, provides actionable insights, and integrates seamlessly into their development workflow.
What it does
This AI-powered security scanner makes enterprise-grade security analysis accessible to indie developers. It allows users to simply provide a public GitHub URL to initiate a comprehensive security scan without needing to manually clone repositories, install tools, or configure scanners.
Unlike traditional scanners that produce purely technical findings, this system uses AI to understand the business context of vulnerabilities. It transforms raw technical data from tools like Semgrep into actionable business intelligence. The analysis provides:
- Executive summaries for business stakeholders.
- Risk-prioritized recommendations based on business impact.
- Compliance mappings to standards like OWASP, CWE, PCI-DSS, and SOC 2.
- Natural language explanations of complex vulnerabilities.
- Specific remediation guidance with code examples.
The tool is designed with a focus on indie developers, offering a guided, step-by-step workflow, transparent pricing, and educational content to help them improve their security practices.
How we built it
The project was built in three main phases, focusing on a modular and extensible architecture.
Phase 1: Core Security Engine (Python Backend) We started by building the fundamental security scanning capability using Python and Semgrep. The backend follows a clean pipeline: input validation for GitHub URLs, temporary repository cloning with automatic cleanup, parallel security scanning with multiple rulesets, and processing the results into a structured JSON format. This entire engine was wrapped in a Model Context Protocol (MCP) server, creating a standardized interface for AI agents.
Phase 2: AI Analysis Layer - Strands Agent (AWS Bedrock Integration) Next, we integrated an intelligent analysis layer using AWS Bedrock and Claude 3.5 Sonnet. This layer takes the structured JSON output from the security engine and uses contextual prompt engineering to transform technical findings. It’s responsible for generating business risk prioritization, compliance mappings, and natural language explanations with remediation guidance.
Phase 3: User Experience (React Frontend) The final piece was an intuitive user interface built with React. The frontend emphasizes a simple, guided workflow to take users from connecting their repository to viewing the final report. It was designed to build trust with indicators like SOC 2 compliance badges and testimonials, and to be educational with developer-friendly explanations of security concepts.
Challenges we ran into
- GitHub Rate Limiting and Performance: we encountered issues with GitHub API rate limits and performance degradation when scanning large repositories. Wesolved this by implementing intelligent cloning strategies like shallow cloning (
--depth 1), automatic cleanup of temporary directories, and timeout handling. - AI Prompt Engineering: Getting consistent and actionable analysis from the LLM was a challenge. It required extensive iteration on prompt engineering, creating structured templates, and building context-aware logic to ensure the AI understood business impact and provided reliable categorization.
- User Experience for Non-Security Experts: A major challenge was making security scanning approachable for indie developers who aren't security experts. We addressed this with a user-centric design that features a simple few-step workflow, plain language explanations, and visual progress indicators.
- MCP Protocol Implementation: Implementing the Model Context Protocol correctly required careful adherence to its specifications, including proper JSON-RPC message handling, standardized tool schema definitions, and robust error handling to ensure seamless integration with AI agents.
Challenges we ran into
- Creating effective Semgrep taint analysis patterns for complex vulnerabilities
- Balancing rule sensitivity to avoid false positives while catching real threats
- Complex AI agent orchestration requiring careful prompt engineering
- Integrating financial loss calculations with technical vulnerability data
- Managing MCP server lifecycle and agent communication reliability
Custom Semgrep Rules
Payment Credentials Detection: pattern-either: - pattern: stripe.api_key = "$KEY" - pattern: Stripe("$KEY") - pattern: paypal.client_id = "$KEY"
SQL Injection via Taint Analysis:
pattern-sources:
- pattern: $REQ.params.$VAR
pattern-sinks:
- pattern: conn.execute(SELECT * FROM users WHERE id = ${$VAR})
AI Prompt Injection: pattern-sources: - pattern: user_input = $REQ.body.prompt pattern-sinks: - pattern: llm.generate(f"{system_prompt} {user_input}")
Remote Code Execution: pattern-sources: - pattern: code = $REQ.body.code pattern-sinks: - pattern: eval(code)
Built With
- amazon-web-services
- javascript
- mcp
- python
- semgrep
Log in or sign up for Devpost to join the conversation.